CVE-2024-52287 MEDIUM

CVE-2024-52287: authentik performs insufficient validation of OAuth scopes

Vendor Goauthentik

Product authentik

Weakness CWE-285

Published November 21, 2024

Last update November 21, 2024

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.

Key dates

02Disclosure timeline

November 21, 2024 CVE published

November 21, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-52287 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/285.html

Related vulnerabilities

Identifiers

CVE CVE-2024-52287

CWE CWE-285

CVSS 6.4 / MEDIUM

Affected versions

Vendor Goauthentik

Product authentik

Affected < 2024.8.5

Vendor Goauthentik

Product authentik

Affected >= 2024.10.0-rc1, < 2024.10.3

CVE-2024-52287: authentik performs insufficient validation of OAuth scopes

01Description

02Disclosure timeline

03References

04Related CVE